Re: [web2py-dev] [web2py] Re: strange response.flash

Sun, 05 Aug 2012 20:45:19 -0700 

I think

    response.flash = A("Hello World", _href="#") 

should be allowed. It was always allowed. This is a backward compatibility 
issue. Yet I see there is a potential security issue there.
I am not sure what the exact solution should be. Perhaps automatic sanitization 
of flash messages before response?

    response.flash = XML(str(response.flash), sanitize=True).xml()


On Aug 5, 2012, at 10:22 PM, Niphlod wrote:

> Would serialized HTML messages be escaped then ?
> 
> What if someone uses response.flash = A("Hello World", _href="#") ?
> 
> On Monday, August 6, 2012 4:50:31 AM UTC+2, Anthony wrote:
> Bump. Should we replace str() with xmlescape() so Ajax flash messages get 
> escaped, just like regular flash messages and everything else in the view?
> 
> Anthony
> 
> On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote:
> On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
> I do not understand what the problem with decodeURIComponent()?
> 
> When I tried trunk, I think there was a problem with the encoding of my 
> controller file (ANSI instead of UTF-8) -- in that case, I guess 
> urllib2.quote didn't yield the correct output for decodeURIComponent (same 
> problem in the earlier version, when the escaping was done on the client side 
> via the Javascript escape() function). Now it works.
> 
> In any case, a remaining issue is that there's still no escaping of 
> potentially dangerous content in the flash message. Everything written to 
> HTML by web2py is typically escaped, including regular flash messages. The 
> only content that isn't getting escaped are flash messages for Ajax 
> components. To be consistent (and safe), we should probably escape those 
> messages as well (you can always put them in an XML() if you don't want them 
> escaped, as with any template content). In main.py, I replaced:
> 
> urllib2.quote(str(response.flash).replace('\n',''))
> 
> with:
> 
> urllib2.quote(xmlescape(response.flash).replace('\n',''))
> 
> With that change, the flash message still looks fine (see screenshot below).
> 
> Anthony
> 
> 
> 
> 
> 
> 
> 
> -- 
> -- mail from:GoogleGroups "web2py-developers" mailing list
> make speech: web2py-develop...@googlegroups.com
> unsubscribe: web2py-developers+unsubscr...@googlegroups.com
> details : http://groups.google.com/group/web2py-developers
> the project: http://code.google.com/p/web2py/
> official : http://www.web2py.com/
>  
>  

--

Reply via email to